Additional News and Resources
China's Standard Contractual Clauses (English translation)
This resource, created by Reed Smith, provides an unofficial English translation of China’s standard contractual clauses. Read More
A look at what's in China's new SCCs
The long-awaited Chinese standard contractual clauses and SCC Regulations were finally released by the Cyberspace Administration of China Feb. 24, effective June 1. This indicates that all three major legal mechanisms under China's Personal Information Protection Law, namely CAC-led security assessment, certification by licensed professional institutions, and Chinese SCCs, are all fully established with the necessary details for implementation. Application scope According to the SCC Regulation... Read More
China’s PIPL takes effect, compliance ‘a challenge’
China’s new Personal Information Protection Law takes effect today, Nov. 1, just over two months after its adoption, with companies seeking to figure out how to best comply and regulators working to answer remaining questions. The Standing Committee of the National People’s Congress passed the law in August to “protect the rights and interests of personal information, regulate personal information processing activities, and promote the rational use of personal information.” The law includes pro... Read More
China cross-border data transfer mechanism and its implications
China’s rise on the global stage has manifested itself in many ways, and it should be no surprise that China has gained prominence in terms of its privacy and security legislation. In recent years, major pieces of legislation have been promulgated: the 2017 Cybersecurity Law, the 2021 Data Security Law and the 2021 Personal Information Protection Law. One common area of interest arising from those three laws, especially for organizations, is how cross-border data transfers will be addressed and... Read More
Will China’s new certification rules be a popular legal path for outbound data transfers?
On Nov. 1, 2021, China’s Personal Information Protection Law took effect and became the first Chinese law dedicated to protecting the personal information rights of individuals. However, due to a lack of implementation regulations and clarity, many companies face a situation where they are unsure how to comply with areas of the PIPL. Nowhere is this more of an issue than with Article 38 of the PIPL, which provides several conditions (or legal paths) that must be met before a cross-border data t... Read More
How China's draft SCCs compare with EU SCCs
On June 30, 2022, the Cyberspace Administration of China released the long-awaited draft provisions on the Standard Contract for the Cross-border Transfer of Personal Information for public consultation. The deadline to submit comments is July 29, 2022. The draft provisions were circulated pursuant to Article 38 of China’s Personal Information Protection Law, under which the government-approved standard contract is one of the lawful transfer mechanisms available that a personal information proce... Read More
Top 5 operational impacts of China’s PIPL — Part 4: Penalties and enforcement mechanisms
The Personal Information Protection Law is the first law dedicated to protecting personal information in China, provides comprehensive penalty and enforcement mechanisms, including administrative penalties, private actions, public interest actions (China’s equivalent of class actions), public security administration, and criminal penalties. Every individual or organization that acts as a data handler, including state organizations as stipulated in Article 33, will be subject to the enforcement o... Read More
Top 5 operational impacts of China's PIPL: Part 3 — Personal information protection officer
China's Personal Information Protection Law has been in effect since Nov. 1, 2021, but privacy professionals and organizations are still trying to fully grasp the law's key provisions and nuances. In this third article in a five-part series exploring the top 5 operational impacts of the PIPL, Xiaomi Head of Security and Privacy Compliance Wenkuan Song analyzes the law's personal information protection officer requirement with a look into which companies need to appoint an officer, general respon... Read More
Top-5 operational impacts of China’s PIPL: Part 2 — Obligations and rights
China's Personal Information Protection Law has been in effect since Nov. 1, 2021, but privacy professionals and organizations are still trying to fully grasp the law's key provisions and nuances. In the second of a series exploring the top-5 operational impacts of the PIPL, Rui Bai Law Firm Head of Corporate Xiaobei Li analyzed the law's legal obligations on businesses in relation to the collection, processing, provision, transfer, deletion and destruction of personal data.Full Story... Read More
Top-5 operational impacts of China's PIPL: Part 1 — Scope, key definitions and lawful handling of personal information
In this five-part series, we examine several facets of the Personal Information Protection Law of the People’s Republic of China, which came into force Nov. 1, after two rounds of public consultation. The drafting of the PIPL was heavily influenced by the EU General Data Protection Regulation, and follows GDPR closely in many areas. However, it has distinct features, scope and exclusions that global companies need to understand. A key threshold distinction between the GDPR and the PIPL relates... Read More
Demystifying Data Localization in China: A Practical Guide
This report, published by the Future of Privacy Forum, provides an overview of data localization and cross-border transfers under the current Chinese data protection regime. It examines various laws and regulations and proposes steps that data controllers can take before deciding to localize or transfer data. Read More
China bans apps over PIPL, DSL violations
South China Morning Post reports China's Ministry of Industry and Information Technology ordered 106 mobile applications to be removed from app stores over violations of the Personal Information Protection Law and Data Security Law. Following investigation and prior scrutiny, the MIIT found the companies hadn't come into compliance with data collection requirements under the law. According to Reuters, Russia banned privacy-focused browser Tor following allegations that it was enabling access ... Read More
China publishes draft data security regulations
The Cyberspace Administration of China released draft regulations for its data security laws, including the Personal Information Protection Law and others, Bloomberg reports. The draft regulations hone in on four categories of data, including personal information, while clarifying how businesses are covered and what is required of them under specific laws. Also addressed in the regulations are provisions around extraterritorial scope, cross-border data transfers, data breach notification require... Read More
China's central bank to crack down on fintech and protect privacy
The People's Bank of China will begin taking action against financial technology companies collecting and using personal data, the South China Morning Post reports. In an 8-minute keynote speech for Hong Kong's 2021 FinTech Week, the central bank's Governor Yi Gang said making stronger data protection is "an urgent matter" in light of companies collecting and leaking personal data. "We are cracking down on excessive collection of consumer data, and unfair practices that require customers to hand... Read More
Web Conference: China's PIPL Law — How it Can Affect You and What You Need to do Now
Original broadcast date: 14 October 2021 China has a new privacy law coming into force on November 1st and it can affect us all. PIPL is their data protection law and anyone who has data on Chinese residents needs to take action. Do you have Chinese visitors to your website, Chinese employees or subcontractors, do you buy from China and have information on people in China? Then you need to know more. Read More
China’s draft algorithm regulations: A first for consumer privacy
The People’s Republic of China broke new ground by announcing draft regulations on the widespread use of algorithmic recommendation technology. The regulations are, according to one expert, the first of their kind globally. And because China will soon exceed one billion internet users — roughly 20% of global internet users — these regulations will cover nearly one in five users on earth. The Internet Information Service Algorithmic Recommendation Management Provisions were released after passag... Read More
China's key enforcement agencies and lessons learned from recent actions
As explained in our previous post, China enacted its first fundamental law in cyberspace, the Cybersecurity Law, in 2016. Five years later, in 2021, China followed up with two more pieces of landmark legislation in this space: the Data Security Law and the Personal Information Protection Law. Taken as a whole, these three laws form an overarching framework that will govern data security, data protection and cybersecurity in China for years to come. Under the framework established by these three... Read More
Analyzing China's PIPL and how it compares to the EU's GDPR
On Aug. 20, 2021, the Standing Committee of China’s National People’s Congress promulgated China’s Personal Information Protection Law, which will take effect Nov. 1, 2021. Serving as China’s first comprehensive law in the personal information protection area and based on China’s Constitution, the PIPL aims to “protect the rights and interests of individuals,” “regulate personal information processing activities,” and “facilitate reasonable use of personal information” (Article 1). From a broad... Read More
Introducing China’s New Privacy Law: PIPL
Original Broadcast Date: August 2021 Part of the IAPP Asia Privacy Forum Online 2021 Recently, the National People’s Congress of China adopted the world’s newest comprehensive privacy law — the Personal Information Protection Law. The PIPL isn’t just any other new privacy law, as China is unlike any other country. The world’s second largest economy, China is a superpower in technology and global trade with strength in tech infrastructure and components, AI and online platforms. What does PIPL,... Read More
China adopts national privacy law
The top legislative body in the People's Republic of China voted Friday to adopt a new national privacy law. The Standing Committee of the National People's Congress passed the Personal Information Protection Law at a meeting in Beijing, according to the nation's state-operated Xinhua News Agency. The sweeping law will take effect Nov. 1. With the move, the PRC joins three of the world's top four economies with an omnibus privacy law, leaving the U.S. as the only nation in the top four without ... Read More
China rolls out guidance on IoT security standards
China's Ministry of Industry and Information Technology issued guidelines for the construction of a security standard system for the Internet of Things. The guidance seeks to outline a framework that will promote public network security risk mitigation and prevention, along with development and implementation of standards for the IoT. Software security, access authentication and data security are among the standard requirements listed by MIIT.Full Story... Read More
Shanghai sets up data exchange to improve manufacturing efficiency
Shanghai City is setting up a data exchange to improve efficiency in manufacturing, Reuters reports. Vice Mayor Wu Qing said the city would encourage companies to share some data and improve data regulations. China recently passed its Personal Information Protection Law, which will be implemented 1 Nov. Editor’s note: IAPP Editorial Director Jedidiah Bracy, CIPP, reported details on PIPL’s enactment.Full Story... Read More
CAC unveils draft regulations on 'algorithmic recommendations'
The Cyberspace Administration of China released a draft of its "Internet Information Service Algorithm Recommendation Management Regulations." The regulations are meant to cover the use of "algorithmic recommendation technology" to provide information services within China. Violations could result in fines ranging from 5,000 to 30,000 yuan. The CAC is accepting public comments on the draft regulation until Sept. 26.Full Story... Read More
Shenzhen passes China's first local data law
The Standing Committee of the Shenzhen Municipal People's Congress passed China's first local data law. The "Shenzhen Special Economic Zone Data Regulations" would prohibit applications from restricting services to users who do not agree to data access agreements. Violations of the law could result fines upwards of 50 million yuan. The law will go into effect 1 Jan.Full Story... Read More
The future of data localization and cross-border transfer in China: a unified framework or a patchwork of requirements?
Until now, China’s data localization and cross-border data transfer requirements were not laid out in one piece of legislation but could be found scattered in the Cybersecurity Law and its draft implementing regulations, as well as in various sectoral regulations, which contain specific requirements applicable to data processed by entities in specific sectors. With the June 10 enactment of the Data Security Law that will take effect Sept. 1 and the upcoming Personal Information Protection La... Read More
Privacy Updates in China and India: 2 Giants Legislating Data Protection
Original Broadcast Date: April 2021 This LinkedIn Live is part of the IAPP Global Privacy Summit Online 2021 web series. China and India, two of the world’s largest markets that account for roughly 2.7 billion people, are both moving toward comprehensive data protection laws. There are expectations in both jurisdictions to see major developments by the end of this year. The two comprehensive data protection bills that have been introduced have some similarities, and certain influences of the E... Read More
China’s central bank seeks to allay digital currency privacy concerns
The People’s Bank of China is working to relieve privacy concerns associated with the nation’s digital currency, saying “controllable anonymity” was a key feature in its design, China Macro Economy reports. Research has shown mobile users are worried about having to share too much personal information, while private businesses do not trust the anonymity of payments. “Establishing both proper identification and privacy in the payment system is key,” Bank of International Settlements Head of Resea... Read More
Chinese government issues new data collection rules
The South China Morning Post reports the Chinese government published new standards for the collection of personal data, specifically defining "necessary" data collection. The definition varies based on the application and its service, but the regulation, which takes effect May 1, curbs app providers from collecting a broad range of data under a bundled consent model. Notably, the regulation will cover 39 categories of apps in some fashion.Full Story... Read More
China's Civil Code now in effect
The Civil Code of the People's Republic of China went into effect 1 Jan., China Daily reports. The code prohibits organizations from sending spam messages via text messages, phone calls and emails, as well as various surveillance activities. "It's the first time that a law defines what privacy is," Haidian District People's Court Judge Chen Changyi said. "In the past it was too vague, and that often gave us difficulties in case hearings and rulings."Full Story... Read More
A look at the extraterritorial applicability of China’s newly issued PIPL: A comparison to the EU's GDPR
On Oct. 21, 2020, the Standing Committee of the National People’s Congress of China released the draft Personal Information Protection Law to solicit public opinions. Many rules of the draft PIPL appear to be similar to those of the EU General Data Protection Regulation, including its territorial applicability. At first glance, the territorial applicability provisions of the draft PIPL bear some resemblance to those of the GDPR. However, after taking a closer look at the wording of both laws, ... Read More
Beijing Internet Court rules against social media sites in user data cases
The Beijing Internet Court ruled against Tencent Holdings and ByteDance, owner of Douyin and TikTok, in cases alleging misuse of user data, the South China Morning Post reports. Plaintiffs argued Tencent violated users’ privacy by sharing data between the WeRead and WeChat apps. Tencent was ordered to stop sharing the data and pay 6,600 yuan. In a case against Douyin over “people you may know” recommendations, the company was ordered to delete the users’ information and pay 5,231 yuan.Full Story... Read More
Federal case against TikTok claims children’s data sent to China
Twenty separate federal lawsuits filed over the past year on behalf of TikTok users in California and Illinois have been merged into one legal action in federal court, NPR reports. Through their parents, dozens of minors allege that TikTok collects information about their facial characteristics, locations and close contacts and sends that information to China. In a ruling Tuesday, federal judges said the case will be based in the U.S. District Court for the Northern District of Illinois.Full Sto... Read More
China has released its version of COPPA
China has finally released its own version of the U.S. Children's Online Privacy Protection Act. On Aug. 23, the Cyberspace Administration of China released the final version of the "Measures on Online Protection of Children’s Personal Data," which will come into force Oct. 1. The measures provide further clarity on how to protect children’s personal data online under the framework of China's Cyber Security Law. Not only do the measures have a broader application compared to its counterpart in ... Read More